Luxembourg: it’s tiny, it’s got its own law and regulation to a point: it’s also at the heart of the EU’s legislative and regulatory process. So, while a decision in a Luxembourg court is not binding on all other EU states, it is highly persuasive.
Sometimes, a national court such as those in Luxembourg do not make a decision. It will, in effect, certify that this is a matter of European, not domestic law and that it should therefore be determined by the EU’s own court. And so it refers the case, ultimately, to the Grand Chamber of the European Court of Justice. This is the EU’s most senior court. What happens here, is applied across the EU and, depending on circumstances, in the UK despite its withdrawal.
A challenge to EU law made in Luxembourg is, therefore, a big deal. Note, when reading, that the system of law and the courts systems across much of the EU is very different to that in Common Law countries including the UK and Ireland.
In January and October 2020, two cases were issued in the tribunal d’arrondissement de Luxembourg (Luxembourg District Court, Luxembourg) in cases numbered C‑37/20 and C‑601/20. Immediately, requests were made for ″preliminary rulings″ which are, for all intents and purposes the District Court saying ″this is too big to us, let’s send it upstairs″
On 22 November, 2022 the Grand Chamber made a ″preliminary ruling″ under the consolidated number C‑37/20
It is perhaps easiest to view its status as the opinion of the court. If we were to think of it in terms of American court process, we would say that there were many Amicus Briefs filed – that is representations by persons who, while not parties, have an interest in the outcome of the case.
In this case, the list of such persons is both long and impressive:
There were a couple of law firms and
– the Luxembourg Government
– the Austrian Government
– the Finnish Government
– the Norwegian Government
– the European Parliament
– the Council of the European Union
– the European Commission
– the European Data Protection Supervisor
The cases challenge EU Directive 2018/843, more commonly known as the Fifth Money Laundering Directive or MLD V. This is the Directive that requires members of the EU and the EEA to establish registers of so-called beneficial ownership. It was not popular and countries didn’t fall over themselves in a rush to comply before the deadline and when they did eventually comply, there was a core of compatibility but not uniformity across the entire EU/EEA.
Let’s be clear: even those within the EU/EEA that have tried to minimise the effect of the Directive in this area have far, far more comprehensive and far, far more publicly available information on, in particular, corporations than that proposed in the USA.
The EU’s stated intention with regard to the establishment of such registers was because ″[it is necessary] to further increase the overall transparency of the economic and financial environment of the Union.″
This, as with many aspects of modern law, was justified by saying ″The prevention of money laundering and of terrorist financing cannot be effective unless the environment is hostile to criminals seeking shelter for their finances through non-transparent structures. The integrity of the Union financial system is dependent on the transparency of corporate and other legal entities, trusts and similar legal arrangements. This Directive aims not only to detect and investigate money laundering, but also to prevent it from occurring. Enhancing transparency could be a powerful deterrent.″
The EU in its preamble to MLD VI went on to claim that ″Public access to beneficial ownership information allows greater scrutiny of information by civil society, including by the press or civil society organisations″ which is pretty much straight out of Germany’s broad-left playbook and ″Confidence in financial markets from investors and the general public depends in large part on the existence of an accurate disclosure regime that provides transparency in the beneficial ownership and control structures of companies″ which is not very well thought out because this relates to public companies – and mostly they were already covered or were left out on purpose.
We’ve seen it all before: big bold words calling the name of some nebulous harm as justification for what is, in fact, an increase in centralisation and bureaucracy. That is not to say that it’s a bad thing – but if it is really so important it should have been dealt with in MLD1 in 1991.
But, the EU did go on to recognise that there are legitimate rights to privacy, albeit eroded.
″with regard to corporate and other legal entities, as well as trusts and similar legal arrangements, a fair balance should be sought in particular between the general public interest in the prevention of money laundering and terrorist financing and the data subjects’ fundamental rights. The set of data to be made available to the public should be limited, clearly and exhaustively defined, and should be of a general nature, so as to minimise the potential prejudice to the beneficial owners. At the same time, information made accessible to the public should not significantly differ from the data currently collected….. Moreover, with the aim of ensuring a proportionate and balanced approach and to guarantee the rights to private life and personal data protection, it should be possible for Member States to provide for exemptions to the disclosure through the registers of beneficial ownership information and to access to such information, in exceptional circumstances, where that information would expose the beneficial owner to a disproportionate risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation.″
It also provided that such information as is made publicly available may, if jurisdictions want, to be available only on-line, upon payment of a fee, by persons who are registered and identified.
It follows, then, that while the impression of the law has always been that it was radical, actually, for some countries it did almost nothing. But in those countries where there was no, or limited, central register of companies and their ownership (e.g. because companies are registered at ″départments″, as in France) this was a big deal.
The cases claimed that ownership information is personal data and therefore subject to the General Data Protection Regulation (2016/679) . Note that this is a ″Regulation″ not a Directive and EU and EEA jurisdictions have no right of ″derogation.″ The growing use of Regulations is one of the reasons behind the UK’s decision to leave the EU. Regulations impose law, outside the Parliamentary process, and result in significant loss of sovereignty.
The EU anticipated that questions about data protection would arise. In MLDIV, it says ″ [The GDPR] applies to the processing of personal data under this Directive. As a consequence, natural persons whose personal data are held in national registers as beneficial owners should be informed accordingly. Furthermore, only personal data that is up to date and corresponds to the actual beneficial owners should be made available and the beneficiaries should be informed about their rights under the current Union legal data protection framework … and the procedures applicable for exercising those rights. In addition, to prevent the abuse of the information contained in the registers and to balance out the rights of beneficial owners, Member States might find it appropriate to consider making information relating to the requesting person along with the legal basis for their request available to the beneficial owner.’″
This is not something that any member state, so far as I recall, has implemented. Certainly, in the UK, it is far, far away from the reality as Companies House allows its records to be trawled, reproduced – and sold – by companies engaging bots for the purposes of so doing.
For those who are not familiar with EU law, it’s worth explaining that a Directive is essentially a Federal Act. A Directive requires national legislatures to pass local law to implement it. It has gone through a parliamentary process and individual member states have rights of derogation which, essentially, means that a state, for itself but not for others, may vary the Directive to any extent that it deems appropriate for its national interest, institutions or customs. In extreme cases, a member state may, at least in theory, say ″we’re not having that at all.″ It is this that the EU decided to prevent when it created the regime for making Regulations which are, in effect, direct rule.
The industry which was first targeted for Regulations was financial services and banking in particular. May viewed this as a means of preferring Frankfurt over London, a view which some will say has been vindicated by recent claims that Frankfurt has overtaken London in terms of its standing as a financial centre.
The status, then, of the Money Laundering Directives and the GDPR, are very different in both law and implementation.
The challenge in the instant case referred to the implementation of the Directive by the Luxembourg authorities. The local implementation law (2 January 2019 to institute a registration of beneficial ownership) says this:
‘The following information on the beneficial owners of registered entities must be entered and retained in the Register of Beneficial Ownership:
3° nationality (or nationalities);
4° day of birth;
5° month of birth;
6° year of birth;
7° place of birth;
8° country of residence;
9° complete private or professional address …
10° for persons registered in the National Register of Natural Persons, the identification number …;
11° for non-residents who are not registered in the National Register of Natural Persons, a foreign identification number;
12° the nature of the beneficial interests held;
13° the extent of the beneficial interests held.’
(extracted from the judgment).
The register is not, under the Directive, a comprehensive register of ownership. It says ″in the case of corporate entities:
(i) the natural person(s) who ultimately owns or controls a legal entity through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that entity″ or, if, after having exhausted all possible means and provided there are no grounds for suspicion, no person under point (i) is identified, or if there is any doubt that the person(s) identified are the beneficial owner(s), the natural person(s) who hold the position of senior managing official(s).″
GDPR relates to information (″data″) that refers to natural persons i.e. personal information. The ″sufficient percentage″ is that set by each country (often at or about 25% which I have advised since the mid 1990s should be set for KYC purposes at 10% - big accountancy companies argued for 25% and their lax standard is what has been adopted) and is usually termed something like ″persons with significant control″.
The Directive also requires corporations and other legal entities to ″obtain and hold adequate, accurate and current information on their beneficial ownership, including the details of the beneficial interests.″
That’s the background. Here’s the legal case.
1. That it is inconsistent with GDPR that member states must ″ensure that information on the beneficial ownership of companies and of other legal entities incorporated within their territory is accessible in all cases to any member of the general public.″ Moreover, it is inconsistent with the Charter of MLD V which, the Judgment says ″Article 7 of the Charter guarantees everyone the right to respect for his or her private and family life, home and communications, while Article 8(1) of the Charter expressly confers on everyone the right to the protection of personal data concerning him or her.″
The Court found that the information collected is data of a personal nature; that is is of no relevance ″in that respect″ that the data concerned may relate to activities of a professional nature and that the making of such data available to the public constitutes the processing of personal data under Article 8 of the Charter. The Court refers to prior judgments which it says are influential.
The Court also found ″as is apparent from the Court’s settled case-law, making personal data available to third parties constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, whatever the subsequent use of the information communicated. In that connection, it does not matter whether the information in question relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference (judgment of 21 June 2022, Ligue des droits humains, C‑817/19, EU:C:2022:491, paragraph 96 and the case-law cited).″
Therefore, while collecting the data is not of itself contrary to EU law, it is the publication of that data which is unlawful ″the general public’s access to information on beneficial ownership, provided for in Article 30(5) of Directive 2015/849 as amended, constitutes an interference with the rights guaranteed in Articles 7 and 8 of the Charter.″
The logic is infallible: see paragraph 41 ″As regards the seriousness of that interference, it is important to note that, in so far as the information made available to the general public relates to the identity of the beneficial owner as well as to the nature and extent of the beneficial interest held in corporate or other legal entities, that information is capable of enabling a profile to be drawn up concerning certain personal identifying data more or less extensive in nature depending on the configuration of national law, the state of the person’s wealth and the economic sectors, countries and specific undertakings in which he or she has invested.″
And then, by extension, the logical explanation is used to demonstrate the potential harms ″In addition, it is inherent in making that information available to the general public in such a manner that it is then accessible to a potentially unlimited number of persons, with the result that such processing of personal data is liable to enable that information to be freely accessed also by persons who, for reasons unrelated to the objective pursued by that measure, seek to find out about, inter alia, the material and financial situation of a beneficial owner (see, by analogy, judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C‑184/20, EU:C:2022:601, paragraphs 102 and 103). That possibility is all the easier when, as is the case in Luxembourg, the data in question can be consulted on the internet…… Furthermore, the potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated and that, in the event of such successive processing, it becomes increasingly difficult, or even illusory, for those data subjects to defend themselves effectively against abuse.″
Having established that the use is, prima facie, unlawful, the Court then went on to consider whether there was a justification for the interference. It said ″no″ because the Directive failed to establish that such interference was justifiable ″only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others.″
But the Court did find that the interference was not illegal, i.e. that the principles of ″legality″ had been met. For those who think that ″legal″ and ″lawful″ or ″illegal″ and ″unlawful″ are interchangeable, it’s time to learn some law because this case proves you are wrong. Legislative draftsmen in many countries, including the UK, make this very important mistake.
The Court explained that the information collected may fall ″into two distinct categories of data.″ One is data relating to the identity of the beneficial owner. The other is economic data (the nature of extent of the beneficial interest held).
The Directive does not, the Court found, create an exhaustive (i.e. comprehensive) list of the data that should be collected. The use of the words ″at least″ indicate that member states are at liberty to collect such additional information as they think necessary. Luxembourg’s list, above, requires information not required in the UK, for example. But there’s a catch: ″the fact remains that, in accordance with Article 30(1), only ‘adequate’ information on beneficial owners and beneficial interests held may be obtained, held and, therefore, potentially made accessible to the public, which excludes, inter alia, information which is not adequately related to the purposes of that directive.″
The conclusion on this point is ″it does not appear that making available to the general public information which is so related would in any way undermine the essence of the fundamental rights guaranteed in Articles 7 and 8 of the Charter″ and ″the interference entailed by the general public’s access to information on beneficial ownership provided for in point (c) of the first subparagraph of Article 30(5) of Directive 2015/849 as amended does not undermine the essence of the fundamental rights enshrined in Articles 7 and 8 of the Charter.″
There are several complex legal points which are of general application such as whether the European Commission ″had considered proposing a uniform definition of ‘legitimate interest’″ The Commission said ″the criterion of ‘legitimate interest’ was a concept which did not lend itself easily to a legal definition and that, while it had considered the possibility of proposing a uniform definition of that criterion, it had ultimately decided not to do so on the ground that the criterion, even if defined, remained difficult to apply and that its application could give rise to arbitrary decisions.″
Common Lawyers, who have had a tough time with the EU’s habit of codifying everything will be dancing in the streets at such a statement because what it means is that legislation has its limitations and it is the function of the courts to apply law with regard to individual circumstances, having regard to precedent.
The Court considered the specific claim that the release of such information allows its use by ″civil society″ and ″press and civil society organisations that are connected with the prevention and combating of money laundering and terrorist financing have a legitimate interest in accessing information on beneficial ownership.″
It also considered what I would say is a far more relevant use case: ″who wish to know the identity of the beneficial owners of a company or other legal entity because they are likely to enter into transactions with them, or of the financial institutions and authorities involved in combating offences of money laundering or terrorist financing, in so far as those entities do not already have access to the information.″
The Court specifically dismissed the general waffle in the preamble to MLD V which said that access to such information ″‘can contribute’ to combating the misuse of corporate and other legal entities and that it ‘would also help’ criminal investigations, it must be found that such considerations are also not such as to demonstrate that that measure is strictly necessary to prevent money laundering and terrorist financing.″ In effect, the Court said ″if you think that, prove it, don’t expect us to take your vague statements as immutable truth.″
Here’s one of the statements that shows the Court’s displeasure: ″ In the light of the foregoing, it cannot be considered that the interference with the rights guaranteed in Articles 7 and 8 of the Charter, which results from the general public’s access to information on beneficial ownership, is limited to what is strictly necessary.″
Translation: don’t be sloppy when you draft legislation, don’t think vague statements constitute law, don’t write laws in isolation or silos and without full regard and provision for interaction with other laws or for the consequences of the new law.
That, the European Commission argued is what it did, taking care, it said, ″to specify that the set of data made available to the public must be limited, clearly and exhaustively defined, and must be of a general nature, so as to minimise the potential prejudice to beneficial owners.″ Further, both the Council and the Commission argued that it’s not their fault because ″the principle that the general public should have access to information on beneficial ownership may be derogated from..[because] provides that in ‘exceptional circumstances’, ‘Member States may provide for an exemption from such access to all or part of the information on the beneficial ownership on a case-by-case basis’ where the general public’s access to that information ‘would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable’.
Translation: the Council and the Commission argue ″information should be available unless, in individual cases, there is reason for it not to be.″ That’s even by the standards of the Council and the Commission is facile – who is going to make that decision and who will pay for it to be considered?
The Court didn’t bother to respond to that nonsense. Instead it provided an all-encompassing answer relating to, in particular money laundering and terrorist financing ″it must be held that although in view of its importance that objective is, as found in paragraph 59 above, capable of justifying even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter, the fact remains that, first, combating money laundering and terrorist financing is as a priority a matter for the public authorities and for entities such as credit or financial institutions which, by reason of their activities, are subject to specific obligations in that regard.″
In short, it’s a matter for national governments and regulated entities which are subject to specific obligations.
Here, the Court was sympathetic: ″it is for that reason that points (a) and (b) of the first subparagraph of Article 30(5) of Directive 2015/849 as amended provide that information on beneficial ownership must be accessible, in all cases, to competent authorities and Financial Intelligence Units, without any restriction, as well as to obliged entities, within the framework of customer due diligence.″
The Court found that the optional provision that says that states may require those interrogating the data must register and be identified does not demonstrate ″ither a proper balance between the objective of general interest pursued and the fundamental rights enshrined in Articles 7 and 8 of the Charter, or the existence of sufficient safeguards enabling data subjects to protect their personal data effectively against the risks of abuse.″
The Court did not strike out the principle of company registries. It struck out an amendment to previous law. The amendment is in MLD V at Article 1(15)(c) .
The amendment says ″paragraph 6 is replaced by the following:
‘6. Member States shall ensure that competent authorities and FIUs have timely and unrestricted access to all information held in the central register referred to in paragraph 3 without alerting the entity concerned. Member States shall also allow timely access by obliged entities when taking customer due diligence measures in accordance with Chapter II.
Competent authorities granted access to the central register referred to in paragraph 3 shall be those public authorities with designated responsibilities for combating money laundering or terrorist financing, as well as tax authorities, supervisors of obliged entities and authorities that have the function of investigating or prosecuting money laundering, associated predicate offences and terrorist financing, tracing and seizing or freezing and confiscating criminal assets.’;
The paragraph in MLD IV that was replaced, and is now restored, says ″ Member States shall ensure that the information on the beneficial ownership is accessible in all cases to:
competent authorities and FIUs, without any restriction;
obliged entities, within the framework of customer due diligence in accordance with Chapter II;
any person or organisation that can demonstrate a legitimate interest.
The persons or organisations referred to in point (c) shall access at least the name, the month and year of birth, the nationality and the country of residence of the beneficial owner as well as the nature and extent of the beneficial interest held.
For the purposes of this paragraph, access to the information on beneficial ownership shall be in accordance with data protection rules and may be subject to online registration and to the payment of a fee. The fees charged for obtaining the information shall not exceed the administrative costs thereof.″
So, what has actually been lost by the declaration that the amendment is invalid? Just this: open and free access to personal records by any and all persons. The ″regulated sector″ loses nothing.
The UK, since its withdrawal from the EU, is not subject to rulings in the European Court of Justice. However, as part of the withdrawal (the so-called ″Brexit″) process, the UK continued to keep on the statute books the vast majority of EU derived law. That includes laws made under the Money Laundering Directive and the GDPR.
Therefore, although the case does not have direct application to the UK, it is highly relevant. It is an irony that the UK, which has a history of complying with Directives more quickly and more closely than almost any other EU member state will now have to decide whether to change national law to comply with a decision of a court the authority of which it does not recognise domestically and to which it is not subject. That, as lawyers will point out, is the essence of persuasive precedent.
The case file is here: https://curia.europa.eu/juris/documents.jsf?num=C-37/20%20
Directive EU 2018/843 (MLD V) is here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018L0843
DIRECTIVE (EU) 2015/849 MLD IV is here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L0849
The EU’s explanation of where the Court of Justice fits in the EU’s legal system is here: https://curia.europa.eu/jcms/jcms/Jo2_7024/en/